Security is essential, and you agree with that. You want indeed to do
a penetration test (or pentest) on your solution soon… Here are 7 questions to help you get the most out of a penetration test.
1 – Is it Better to run te the Penetration Test on the Production or Pre-production?
Running a penetration test on your production environment has a sure advantage: the audit is conducted under actual conditions of use of your website, web application, API… with the last developments set up.
However, testing the production environment can in some rare cases interfere with the normal running of your business. To avoid any risks, it is possible to realise the penetration test in an iso-production environment, an absolutely identical environment to the production environment.
Doing a penetration test on the pre-production environment is also interesting, as it is very similar to the final environment. Tests will not touch services used by your users/customers. This is particularly appropriate for critical infrastructure, for which the data or system integrity is crucial.
Finally, the important is to test the entirety of your online environment, as some environments -other than production- are accessible from internet. Those platforms can be vulnerable. They can give technical information about the production environment, lead towards elements of the production or even have flaws due to a wrong configuration.
2 – Running a Penetration Test before the End of Project Development, is it Useful?
Wanting to do a penetration test during the development of a web application makes possible to have a first feedback. Correcting flaws in the early stage is easier and takes less time (and is then less expensive) as once the service is deployed. A first pentest provides a sound basis and the project keep growing in the right direction.
Moreover, with the constant functionality evolution, we can hardly say that a project is “finished”. There will always be updates or patch to install, functionalities to add, changes in the development technologies, etc. It is recommended to run a penetration test at least for each new version or main new modification of your solution.
3 – Is Penetration Test Run on Server Configuration or only on the Code?
A penetration test challenges your web application, the server configuration, webservices, API, and more generally every service accessible online. Depending on your specific needs, a test scope is defined with your provider.
At Vaadata, we are specialised in the applicative layer, where are located most potential threats at the present time. We also test server configuration.
4 – Are DoS attacks Conducted during a Pentest?
Yes, but not on Friday (Vaadata internal policy 😉 )
More seriously, it is totally technically possible to test the resistance to DoS attack during a pentest. Depending on your demand and your needs, DoS attacks will be conducted or not.
5 – Which Technologies are Tested?
PHP, Java, Ruby, Python, C#, NodeJS… Languages are different, but logic vulnerabilities are found everywhere. Logic flaws are related to the conception of web applications, independently of the technology used. For example, problems of control of rights or XSS flaws (cross-site scripting) can be found with each technology of development.
Concerning vulnerabilities specific to a framework or a language (MySQL Injection ; MongoDB Injection…), being a pentester (security consultant) is a work that requires to know many languages, in order to test them.
6 – Who does the Corrections of the Flaws Found following a Pentest?
Developer and pentester are two different jobs. When a penetration test is realised, flaws are documented by pentesters in a report providing all the necessary details to reproduce and exploit them. This report includes recommendations on how to correct flaws, but pentesters do not do it themselves.
Developers know indeed already the project. They will be then faster and more efficient to do the needed corrections.
7 – Are the Corrections Verified?
It is interesting to verify that corrections are full and correct for each vulnerability. A check allows, moreover, to control that the corrections didn’t cause any side effect, i.e. negative consequences creating new flaws. Vaadata offers this remediation validation phase.
A penetration test has a cost, but to see as an investment aiming to avoid damages from a real attack, with losses sometimes hard to measure for data and financial losses, image degradation, etc. A pentest is a component of a global security strategy. This strategy has to be thought and planned according to each situation.